Apache 2.0.40 was released on 9th August 2002 and is now
the latest version of the Apache server. This is the fourth stable
release of Apache 2.0, following up on 2.0.39 which was released on
18th June 2002. Read our special
feature for more information about the history of Apache
2.0.

This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions of Apache 2
on Unix prior to
Apache 2.0.39 should upgrade to Apache 2.0.40. Sites using
any versions of Apache 2 on other platforms should upgrade to
2.0.40.

Security issues

Certain URIs will bypass security
and allow users to invoke or access any file depending on the system
configuration. (CAN-2002-0661)

A path-revealing exposure is present in multiview type
map negotiation (such as the default error documents) where a
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served. (CAN-2002-0654)

A path-revealing exposure is present in cgi/cgid when Apache
fails to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl", revealing the full path
of the script. (CAN-2002-0654)

New features

The new features in this release (added since 2.0.39) are:

mod_rewrite can now set cookies using the CO extension

Performance improvements for the code that reads request
headers

Proxy FTP now works over IPv6

Changes to the internationalized error documents; they are no longer
included by default in the sample configuration file.

Add a new directive, MaxMemFree.
MaxMemFree makes it possible
to configure the maximum amount of memory a particular
child's allocator will
hold on to for reuse. This directive is useful when uncommon large
peaks occur in memory usage.

Support the -w flag to keep the Win32 console open
on error

Add the ability to enable or disable a filter via
an environment variable.

Apache on Netware will now pull requests off of the
listen queue as fast as winsock will allow without latency introduced by the
accept mutex

During installation Apache will preserve existing installation
directories. Binaries, the build directory, the headers, and the man
pages are all copied. Everything else (the config, htdocs, manual,
error, icons, and cgi directories) is not installed if the directories
already exist

Bug Fixes

The bugs fixed in this release include:

Fix a long-standing bug in 2.0: CGI scripts were being called
with relative paths instead of absolute paths. Apache 1.3 used
absolute paths for everything except SuExec; this brings back
that standard

Accept multiple leading /'s for requests within the DocumentRoot.
BZ#10946

Fixed a mod_include error case in which no HTTP
response was sent to the client if an shtml document contained an
unterminated SSI directive

Prevent infinite recursion if an ErrorDocument
gets an error

Fix segfault in mod_mem_cache most frequently observed when
serving the same file to multiple clients on a multi-processor machine

Various fixes to the experimental module mod_ext_filter
including: Look in the main server for
filter definitions when running in a vhost if the filter definition is
not found in the vhost, BZ#10147.
Fix a segmentation fault if the content-type was not set,
BZ#10617, and ignore any content-type parameters when checking if
the response should be filtered.

Fix infinite loop due to two HTTP_IN filters being present for
internally redirected requests. BZ#10146

Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
scripts would not result in a truncated response.

Fix proxy so that it is possible to access ftp: URLs via a proxy
chain.

Fix perchild to work with apachectl by adding -k support to perchild.
BZ#10074

Fix the long-standing bug in ab where
ab -t10 would loop for 10000 seconds
instead of 10 as documented. Also fix an off-by-one-second error

Fixed parsing of strings to longs which allows HTTPD to deal
with larger files correctly

mod_deflate now checks to make sure that
'gzip-only-text/html' is set so that BrowserMatch
can be used to control the module

Add a filter_init parameter to the filter registration functions
so that a filter can execute arbitrary code before the handlers
are invoked. This resolves a problem where mod_include requests
would incorrectly return a 304. BZ#9673

Fix a problem with the keepalive enumeration that caused problems
when mod_dav sends error responses

Platform-specific changes

Support WinNT CGI invocation through
ScriptInterpreterSource
'registry' for script interpreter paths and names with non-ascii
characters in the executable filepath

Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
extended characters (non US-ASCII) in non-utf8 format. This brings
Win32 back into CGI/1.1 compliance, and leaves charset decoding up
to the cgi application itself

When deciding on the default address family for listening sockets,
make sure we can actually bind to an AF_INET6 socket before
deciding that we should default to AF_INET6. This fixes a startup
problem on certain levels of OpenUNIX. BZ#10235
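
The bind probe described in the last item, sketched with plain BSD sockets as an added example; it is not Apache's own code, and the function names `can_bind_family` and `default_listen_family` are hypothetical. Creating the socket is not enough on its own, so the probe also binds to the wildcard address on a kernel-chosen port before AF_INET6 is accepted as the default.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Return 1 if a TCP socket of the given family can be created AND bound
 * to the wildcard address on an ephemeral port, 0 otherwise. */
static int can_bind_family(int family)
{
    int ok = 0;
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return 0;                       /* family not supported at all */
    if (family == AF_INET6) {
        struct sockaddr_in6 sa6;
        memset(&sa6, 0, sizeof sa6);    /* port 0: kernel picks one */
        sa6.sin6_family = AF_INET6;
        sa6.sin6_addr = in6addr_any;
        ok = bind(fd, (struct sockaddr *)&sa6, sizeof sa6) == 0;
    } else if (family == AF_INET) {
        struct sockaddr_in sa4;
        memset(&sa4, 0, sizeof sa4);
        sa4.sin_family = AF_INET;
        sa4.sin_addr.s_addr = htonl(INADDR_ANY);
        ok = bind(fd, (struct sockaddr *)&sa4, sizeof sa4) == 0;
    }
    close(fd);                          /* probe only; release the port */
    return ok;
}

/* Default to AF_INET6 only when the bind probe succeeds. */
static int default_listen_family(void)
{
    return can_bind_family(AF_INET6) ? AF_INET6 : AF_INET;
}

int main(void)
{
    printf("default listen family: %s\n",
           default_listen_family() == AF_INET6 ? "AF_INET6" : "AF_INET");
    return 0;
}
```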